concurrently secure protocols
play

Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT - PowerPoint PPT Presentation

Jun 13, 2023 •125 likes •1.11k views

Black-Box Constructions of Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Secure MPC Goal: Allow a set

  1. Black-Box Constructions of Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell

  2. Secure MPC

  3. Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own

  4. Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own

  5. Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Correctness What to get---the outputs Privacy What to hide---the private inputs

  6. Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Correctness What to get---the outputs Privacy What to hide---the private inputs Even when no honest majority

  7. Simulation Paradigm REAL IDEAL

  8. Simulation Paradigm REAL IDEAL  “as correct & private as”

  9. Simulation Paradigm REAL IDEAL  “as correct & private as”

  10. Simulation Paradigm REAL IDEAL   A R “as correct & private as”

  11. Simulation Paradigm REAL IDEAL   A I  A R “as correct & private as”

  12. Simulation Paradigm REAL IDEAL Simulator   A I  A R “as correct & private as”

  13. Simulation Paradigm REAL IDEAL Simulator   A I  A R x 1 y 1 x 2 y 2 x 1 y 1 x 2 y 2 “as correct & private as” Correctness: The output of every player in ideal is the same as in real

  14. Simulation Paradigm REAL IDEAL Simulator   A I  A R x 1 y 1 x 2 y 2 x 1 y 1 x 2 y 2 “as correct & private as” Correctness: The output of every player in ideal is the same as in real Privacy: The simulator can learn whatever the adv learns

  15. Simulation Paradigm REAL IDEAL Simulator   A I  A R x 1 y 1 x 2 y 2 x 1 y 1 x 2 y 2 “as correct & private as” Correctness: The output of every player in ideal is the same as in real Privacy: The simulator can learn whatever the adv learns

  16. Simulation Paradigm REAL IDEAL Simulator   A I  A R x 1 y 1 x 2 y 2 x 1 y 1 x 2 y 2 “as correct & private as” Correctness: The output of every player in ideal is the same as in real Privacy: The simulator can learn whatever the adv learns In this talk, we focus on static malicious corruption

  17. The Concurrent Model

  18. The Concurrent Model MANY sets of players executing MANY different protocols all at once [DDN, DNS, GK, Fe, KPR, RK, CKPR, KP, PRS, C...and many others]

  19. The Concurrent Model MANY sets of players executing MANY different protocols all at once [DDN, DNS, GK, Fe, KPR, RK, CKPR, KP, PRS, C...and many others]

  20. Concurrent Security (informally) REAL IDEAL  Many executions of Many executions with different protocols INDEPENDENT trusted parties

  21. Concurrent Security (informally) REAL IDEAL  Universal Composibility (UC) [Can00] Many executions of Many executions with different protocols INDEPENDENT trusted parties

  22. Concurrent Security (informally) REAL IDEAL  Universal Composibility (UC) [Can00] Impossible [CF01, CKF03] Many executions of Many executions with different protocols INDEPENDENT trusted parties

  23. Super Polynomial Time Simulation ( SPS ) REAL IDEAL 

  24. Super Polynomial Time Simulation ( SPS ) REAL IDEAL  — SPS [Pas03, BS05, LPV09, GGJS12]

  25. Super Polynomial Time Simulation ( SPS ) REAL IDEAL  — SPS [Pas03, BS05, LPV09, GGJS12]

  26. Super Polynomial Time Simulation ( SPS ) REAL IDEAL  — SPS [Pas03, BS05, LPV09, GGJS12] — Angel-based Security Model [PS04, MMY06] — UC with super-poly helpers [CLP10]

  27. Super Polynomial Time Simulation ( SPS ) REAL IDEAL Feasibility Results Only  — SPS [Pas03, BS05, LPV09, GGJS12] — Angel-based Security Model [PS04, MMY06] — UC with super-poly helpers [CLP10]

  28. Super Polynomial time (SPS) Security Feasibility Results Only Due to the Non-Black-Box constructions ( Lots of Karp reductions)

  29. Super Polynomial time (SPS) Security Feasibility Results Only Naturally, Solution: Black-box Constructions ( No Karp reductions)

  30. Super Polynomial time (SPS) Security Feasibility Results Only Naturally, Solution: Black-box Constructions ( No Karp reductions) Efficient Protocols

  31. BB MPC Protocols

  32. BB MPC Protocols In the stand alone setting---Solved! O(1) round BB MPC, f/ minimal assumption semi-honest OT [Kil88,IPS08,IKLP06,Hai08,Wee10,Goy11]

  33. BB MPC Protocols In the stand alone setting---Solved! O(1) round BB MPC, f/ minimal assumption semi-honest OT [Kil88,IPS08,IKLP06,Hai08,Wee10,Goy11] In the concurrent setting Only unconditionally secure UC protocols f/ strong set-ups e.g. Ideal OT [Kil88,IPS08], hardware tokens [GISVW10]

  34. BB MPC Protocols In the stand alone setting---Solved! O(1) round BB MPC, f/ minimal assumption semi-honest OT [Kil88,IPS08,IKLP06,Hai08,Wee10,Goy11] In the concurrent setting Only unconditionally secure UC protocols f/ strong set-ups e.g. Ideal OT [Kil88,IPS08], hardware tokens [GISVW10] Can we have BB concurrently secure protocols in the plain model?

  35. Yes! Our Result (informal) : BB construction of concurrently secure MPC protocols • In the plain model • Based on minimal assumption Semi-Honest OT • Security in the UC with super-poly helper model • Implies super-polynomial time simulation security • Closed under universal composition

  36. Yes! Our Result (informal) : BB construction of concurrently secure MPC protocols • In the plain model • Based on minimal assumption Semi-Honest OT • Security in the UC with super-poly helper model • Implies super-polynomial time simulation security • Closed under universal composition How?

  38. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT

  39. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT BB Stand-alone Semi-honest OT SH-OT

  40. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT [IKLP06,Hai08,Wee10,Goy11] BB Stand-Alone Security Stand-alone Semi-honest OT SH-OT

  41. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT This work [IKLP06,Hai08,Wee10,Goy11] BB Stand-Alone Security UC with Super-Poly Helper Stand-alone Semi-honest OT SH-OT

  42. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT This work [IKLP06,Hai08,Wee10,Goy11] BB Stand-Alone Security UC with Super-Poly Helper Stand-alone Semi-honest OT SH-OT The main tool: BB CCA-Secure Commitments [CLP10]

  43. CCA-Secure Commitments

  44. CCA-Secure Commitments The commitment analogue of CCA2 encryption.

  45. CCA-Secure Commitments The commitment analogue of CCA2 encryption. C(y 3 ) A O C( x ) C(y 1 ) C(y 2 )

  46. CCA-Secure Commitments The commitment analogue of CCA2 encryption. C(y 3 ) y 3 A O C( x ) C(y 1 ) y 1 C(y 2 ) y 2 O is a committed-value oracle If valid com, y = the committed value Else if invalid com, y = bot

  47. CCA-Secure Commitments The commitment analogue of CCA2 encryption. C(y 3 ) y 3 A O C( x ) C(y 1 ) y 1 C(y 2 ) y 2 O is a committed-value oracle If valid com, y = the committed value Else if invalid com, y = bot Note: Original definition in [CLP10] considers a decommitment oracle. (with black-box construction, we can only achieve the weaker notion.)

  48. CCA-Secure Commitments The commitment analogue of CCA2 encryption. C(y 3 ) y 3 A O C( x ) C(y 1 ) y 1 C(y 2 ) y 2 Chosen-Commitment-Attack (CCA) security: Either A forwards the left commitment to the right LHS is hiding --- view of A indistinguishable Or

  49. Concurrent Non-Malleable Commitments C(y 3 ) A C( x ) C(y 1 ) C(y 2 )

  50. Concurrent Non-Malleable Commitments C(y 3 ) A C( x ) C(y 1 ) C(y 2 ) Non-Malleability Either A copies the left commitment to the right Or x and (y 1 , y 2 , y 3 ) independent --- view of A + (y 1 , y 2 , y 3 ) indistinguishable

  51. Concurrent Non-Malleable Commitments C(y 3 ) A C( x ) C(y 1 ) C(y 2 ) O y 1 y 3 y 2 Non-Malleability Either A copies the left commitment to the right Or x and (y 1 , y 2 , y 3 ) independent --- view of A + (y 1 , y 2 , y 3 ) indistinguishable

  52. Concurrent Non-Malleable Commitments C(y 3 ) A C( x ) C(y 1 ) C(y 2 ) O y 1 y 3 y 2 Non-Malleability Either A copies the left commitment to the right Or x and (y 1 , y 2 , y 3 ) independent --- view of A + (y 1 , y 2 , y 3 ) indistinguishable CCA security  Non-Malleability

  53. Theorem 1: OWF  BB construction of CCA commitments

  54. Theorem 1: OWF  BB construction of CCA commitments Theorem 2: CCA commitments + SH-OT  BB implementation of F OT

  55. Theorem 1: OWF  BB construction of CCA commitments Proof: [CLP10]---Non-BB CCA commitments + [PW08]---BB trapdoor commitments + [CDMW08,09]---Cut & choose for consistency Theorem 2: CCA commitments + SH-OT  BB implementation of F OT

  56. Theorem 1: OWF  BB construction of CCA commitments Proof: [CLP10]---Non-BB CCA commitments + [PW08]---BB trapdoor commitments + [CDMW08,09]---Cut & choose for consistency Theorem 2: CCA commitments + SH-OT  BB implementation of F OT

  57. Theorem 2: CCA commitments + SH-OT  BB implementation of F OT

Recommend

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against

2.07k views • 85 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons SSH Secure shell (remote login) IPSec IP Security suite, originally for use with IPv6 SSL/TLS Secure Sockets Layer / Transport Layer

322 views • 18 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block & stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Yehuda Lindell (BIU) Amos Beimel (BGU BGU) Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty protocols wi without out an honest majority Positive result: 1/p-secure protocols for cons

487 views • 27 slides
OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19 October 2014 Sandra Scott-Hayward, Christopher Kane and Sakir Sezer s.scott-hayward@qub.ac.uk Centre for Secure Information Technologies (CSIT)

359 views • 20 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O.

GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O.

GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O. Levillain GASP 1/39 Agenda Introduction The Need for Robust Parsers A Platform for Binary Parser Generators Animating Protocols Fuzzing

977 views • 74 slides
Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 1. Interactive Proofs and Zero-Knowledge Protocols 2. Secure Multi-Party Computation Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine Agreement Secure Multi-Party

170 views • 3 slides
FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge Proofs Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 5: Secure

729 views • 26 slides
TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati ,

TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati ,

TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati , Mastooreh Salajegheh, Dan Holcomb 1 , Jacob Sorber 2 , Wayne Burleson, Kevin Fu 1 UC Berkeley 2 Dartmouth Collage The Problem Slow Brute Force attacks on

173 views • 6 slides
Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com

Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com

Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com https://nickler.ninja @n1ckler GPG: 36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366 Disclaimer Its not at all certain that a BIP-taproot softfork activates in

375 views • 25 slides
Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa

Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa

Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa Pankova Roman Jagomgis Peeter Laud 1 / 10 Secure Multiparty Computation 2 / 10 Secure Multiparty Computation 2 / 10 Secure Multiparty

641 views • 38 slides
Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda,

Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda,

Outline Introduction HISPs Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda, Ivan Flechais, and A.W.

670 views • 41 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications Estonian Winter School in Computer Science 2016 Overview of this lecture Part 2: ABY Part 3: GSHADE Special Purpose Protocols Generic Protocols

819 views • 52 slides
Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery cryptosystems Computer Security Designing secure protocols February 10, 2003 Basic protocols Key exchange Lecture 8 Lecture 8 Page 1 Page

148 views • 10 slides
Secure Protocols in a Hostile World for CHES 2015 Matthew Green Johns Hopkins University

Secure Protocols in a Hostile World for CHES 2015 Matthew Green Johns Hopkins University

Secure Protocols in a Hostile World for CHES 2015 Matthew Green Johns Hopkins University Why this talk? Why this presentation? These people are wrong solved problem Algorithms Protocol Design Unsolved Implementation Library

1.11k views • 80 slides
Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM Research Group Computer

Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM Research Group Computer

Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM Research Group Computer Science Department LAVAL University Quebec, Canada Houmani, 2003 p. 1/25 c Outline Motivations Related works Overview Protocol Modelling

518 views • 33 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and

Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and

Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and Cooperation in Wireless Networks Georg-August University Gttingen Part I: Selfishness in packet forwarding the operation of multi-hop wireless networks

860 views • 36 slides

More recommend